Open, reproducible, and auditable engagements.
We publish the frameworks we use, the tools we run, and the evidence we produce. No black-box vendor magic.
How we work — open, reproducible, auditable.
Every engagement maps to published frameworks (PTES, OWASP WSTG / MASVS, OSSTMM, NIST SP 800-115, MITRE ATT&CK) so your auditors and engineers see the same story.
- 01 Scoping: objectives, rules of engagement, threat model, success criteria. Output · Signed SOW + ROE
- 02 Reconnaissance: attack-surface discovery, asset graph, exposure scoring. Output · Asset graph
- 03 Exploitation: manual + tooled exploitation aligned to PTES, OWASP, MITRE ATT&CK. Output · Kill-chain log
- 04 Reporting: developer-grade writeups with reproduction, PoC, CVSSv4, and fix guidance. Output · Finding + PoC
- 05 Remediation: paired work with your engineering team; retests at no extra cost. Output · Fix PR + retest
- 06 Continuous: findings platform, weekly syncs, delta-retests on every release. Output · Live dashboard
What every finding looks like
A finding is a contract. Engineers get reproducible steps, auditors get mapped evidence, and leaders get a measurable fix plan. Same shape. Every time.
$ cat findings/PS-1142.yaml
```yaml
id: PS-1142
severity: critical # CVSSv4 9.1 · tenant-isolation bypass
scope: api.confidential-org.com/v2/orgs/:id/invoices
cwe: [CWE-639] # Authorization Bypass Through User-Controlled Key
attack: [T1190, T1552.001]
repro:
- login as tenant A, note org_id=77a2...
- GET /v2/orgs/{victim_id}/invoices with A's session
- server returns 200 + victim PII (7-line PoC attached)
fix:
- enforce tenant-scope guard at router middleware
- add contract test: cross-tenant GET must 403
- detection: log org_id mismatch in access.log
```
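What the three fix lines in that finding look like when implemented, as an added example that is not code from the page or from the engagement it describes. It models the /v2/orgs/{org_id}/invoices route shape with a tiny in-process router instead of a real web framework; the session table, tenant ids, invoice records and the `ACCESS_LOG` list are constructed for illustration. `vulnerable_dispatch` trusts the path parameter (the CWE-639 behaviour in the finding), `hardened_dispatch` adds the tenant-scope guard at the router layer and emits the org_id-mismatch log line, and `contract_test` is the cross-tenant-must-403 check that should fail on the first and pass on the second.

```python
"""Tenant-scope guard, contract test and detection hook for a BOLA finding.

Added example, not the page's own code. Sessions, org ids and invoices
below are constructed sample data; the router is a stand-in for whatever
framework the real API uses.
"""
from dataclasses import dataclass
import re

# Constructed sample data: two tenants, one session each, a few invoices.
SESSIONS = {
    "sess-A": {"user": "alice", "org_id": "77a2"},  # tenant A (attacker)
    "sess-B": {"user": "bob", "org_id": "91f0"},    # tenant B (victim)
}
INVOICES = {
    "77a2": [{"id": "INV-1", "amount": 120.0}],
    "91f0": [{"id": "INV-9", "amount": 980.0, "billing_email": "bob@victim.example"}],
}

ACCESS_LOG: list = []  # stand-in for access.log; one string per line

INVOICES_ROUTE = re.compile(r"^/v2/orgs/(?P<org_id>[^/]+)/invoices$")


@dataclass
class Request:
    method: str
    path: str
    session_id: str


@dataclass
class Response:
    status: int
    body: object = None


def invoices_handler(req, org_id):
    # The handler itself trusts the path parameter. On its own that is the
    # CWE-639 bug: any authenticated session can read any org's invoices.
    return Response(200, INVOICES.get(org_id, []))


def vulnerable_dispatch(req):
    """Authentication only: checks the session exists, never its tenant."""
    m = INVOICES_ROUTE.match(req.path)
    if not m:
        return Response(404)
    if req.session_id not in SESSIONS:
        return Response(401)
    return invoices_handler(req, m["org_id"])


def tenant_scope_guard(req, org_id):
    """Router-level guard: the org_id in the path must equal the session's org.

    Returns None when the request is in scope, otherwise the response to send.
    A mismatch is written to the access log in a grep-able key=value shape so
    the blue team can alert on tenant_mismatch=1 without parsing bodies.
    """
    session = SESSIONS.get(req.session_id)
    if session is None:
        return Response(401)
    if session["org_id"] != org_id:
        ACCESS_LOG.append(
            f'{req.method} {req.path} 403 user={session["user"]} '
            f'session_org={session["org_id"]} path_org={org_id} tenant_mismatch=1'
        )
        return Response(403)
    return None


def hardened_dispatch(req):
    """Same route, with the tenant-scope guard applied before the handler."""
    m = INVOICES_ROUTE.match(req.path)
    if not m:
        return Response(404)
    denied = tenant_scope_guard(req, m["org_id"])
    if denied is not None:
        return denied
    return invoices_handler(req, m["org_id"])


def contract_test(dispatch):
    """The contract test from the fix list: same-tenant GET stays 200,
    cross-tenant GET must be 403. Returns True when `dispatch` satisfies it."""
    own = dispatch(Request("GET", "/v2/orgs/77a2/invoices", "sess-A"))
    cross = dispatch(Request("GET", "/v2/orgs/91f0/invoices", "sess-A"))
    return own.status == 200 and cross.status == 403


if __name__ == "__main__":
    print("vulnerable passes contract test:", contract_test(vulnerable_dispatch))
    print("hardened passes contract test:", contract_test(hardened_dispatch))
    print("detection line:", ACCESS_LOG[-1])
```

The guard lives in the dispatcher rather than in each handler so a new route cannot forget it, and the contract test is written against the dispatch function so it exercises that layer; running it against the vulnerable dispatcher is what would have caught PS-1142 in CI before a tester did.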
Deliverables spec
- One-line summary + severity (CVSSv4 + business impact)
- Reproduction steps + PoC (shell, HTTP, script)
- Affected scope + data classes
- Fix guidance per layer (code, config, detection)
- References (CWE, CAPEC, ATT&CK, papers)
- Executive summary (1 page)
- Kill-chain narrative with timeline
- Finding catalog with appendices
- Methodology + framework mapping
- Retest delta + current posture
- Live dashboard (Jira / Linear / GitHub sync)
- Slack / Teams alert channel
- Webhook feed for your SIEM
- SOC 2 / ISO 27001 auditor export
- Atomic tests for your blue team
Frameworks we map to
Every engagement is mapped to published frameworks so your auditors, engineers, and board see the same story — in a language each already speaks.
- PTES (Penetration Testing Execution Standard): seven-phase engagement lifecycle we anchor all pentests to.
- OWASP WSTG (Web Security Testing Guide): our baseline for every web app engagement.
- OWASP MASVS and Mobile AppSec Testing Guide: L2 minimum for every mobile engagement.
- OWASP ASVS (Application Security Verification Standard): L3 for regulated environments.
- API security baseline, including BOLA / BFLA coverage.
- LLM / AI application security baseline.
- OSSTMM (Open-Source Security Testing Methodology Manual): rigor for structured engagements.
- NIST SP 800-115: the federal technical guide for security testing and assessment.
- Framework alignment for regulated customers (financial, healthcare, federal).
- MITRE ATT&CK: default mapping language for every red team and PTaaS engagement.
- Adversarial ML threat matrix for AI / LLM engagements.
Our toolkit
We're tool-agnostic by default, but this is the set we reach for most. Your stack wins over our preference; we'll bring our own if you don't already have one.
Engagement runbooks and report templates are shared upfront with every customer. No vendor-lock mystery. Ask during the scoping call — we'll send the latest.
Your next finding is one scoping call away.
Thirty minutes with a real operator tells us what you need and what we can deliver. No BDR handoff, no sales engineer theater — the person you talk to is the person who scopes the work.
